CIS CSC #8 – Malware Defenses

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

This control includes eight (8) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there are three (3) IG1 controls and eight (8) IG2 controls. This means that, at a minimum, we want to:

Ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis.

Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

Configure devices to not auto-run content from removable media.

If you’ve been implementing the CIS Controls in order, this control should be a safety check, or a second layer of defense, rather than a primary control for stopping malware in its tracks. Since we’re focusing these short write-ups on IG1, we may not have application whitelisting in place, but we should have a good handle on a software inventory and a vulnerability scanning process.

Many organizations deploy laptops and other mobile devices to end users, which adds complexity to the managing, updating, and reporting processes. Ensuring the anti-malware tool of your choosing stays up to date is critical, and in many networks now this means configuring the tool to poll a secondary update source when the device is not on the corporate LAN or VPN. You should look for a solution that allows endpoints to receive frequent updates, typically several times a day, regardless of the network they are connected to. Additionally, you should be able to monitor for detections of suspicious or known-malicious files even when the device is not on the corporate LAN or VPN.

Hopefully the configuration standard you created back in Control #5 addressed the use of removable media. Reducing the types of removable media you allow not only helps prevent the loss of data, but also reduces the likelihood that an employee connects a USB drive or inserts an SD card containing malware. More than likely, you will still have to allow some form of removable media. In those cases, make sure autorun is disabled and that the contents of the drive are scanned immediately when it is connected.
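As an added example (not code from CIS or from this post's author), the script below audits a single Windows endpoint against the three IG1 items listed above: signature freshness, scanning of removable media, and autorun being disabled. It also pulls recent detections from the local engine's history, which is the data you would want to collect from devices that have been off the corporate LAN or VPN. It assumes Microsoft Defender Antivirus is the anti-malware tool (the Get-MpComputerStatus, Get-MpPreference, Get-MpThreatDetection and Start-MpScan cmdlets), the standard Explorer autorun policy key, and a 24-hour staleness threshold chosen for illustration; the function names are my own.

```powershell
# Added example: audit one Windows endpoint running Microsoft Defender Antivirus
# against the IG1 sub-controls of CIS Control #8, and register a scan-on-insert
# handler for removable media. Assumptions: Defender cmdlets are present, the
# standard Explorer autorun policy key is used, and the 24-hour threshold below
# is an illustrative value, not a CIS-specified one.

function Test-MalwareDefenseBaseline {
    param(
        [int]$MaxSignatureAgeHours = 24,   # assumed threshold; tighten to match your update cadence
        [int]$DetectionLookbackDays = 7
    )
    $findings = @()

    # Sub-control: engine and signature database update on a regular basis
    $status = Get-MpComputerStatus
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
        $findings += "Signatures last updated $($status.AntivirusSignatureLastUpdated) " +
                     "($([int]$sigAge.TotalHours)h ago), version $($status.AntivirusSignatureVersion)"
    }
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }

    # Sub-control: scan removable media. This preference only controls whether full
    # scans include removable drives; scanning on connect is handled by the
    # event subscription in Register-RemovableMediaScan below.
    $pref = Get-MpPreference
    if ($pref.DisableRemovableDriveScanning) { $findings += 'Removable drives are excluded from full scans' }

    # Sub-control: do not auto-run content from removable media.
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $policy = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue
    if ($policy.NoDriveTypeAutoRun -ne 0xFF) {
        $findings += "NoDriveTypeAutoRun is '$($policy.NoDriveTypeAutoRun)' (expected 0xFF)"
    }

    # Monitoring: detections should be visible even if the device was off-network
    # when they happened, so read them from the local detection history.
    $since = (Get-Date).AddDays(-$DetectionLookbackDays)
    $recent = Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -gt $since }
    foreach ($d in $recent) {
        $findings += "Detection at $($d.InitialDetectionTime): ThreatID $($d.ThreatID) in $($d.Resources -join ', ')"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

function Register-RemovableMediaScan {
    # Subscribe to volume-arrival events (Win32_VolumeChangeEvent EventType 2) and
    # run a Defender custom scan of the new drive as soon as it is connected.
    # The subscription lives only as long as this PowerShell session.
    $query = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2'
    Register-CimIndicationEvent -Query $query -SourceIdentifier 'RemovableMediaScan' -Action {
        $drive = $Event.SourceEventArgs.NewEvent.DriveName   # e.g. "E:"
        Start-MpScan -ScanType CustomScan -ScanPath "$drive\"
    } | Out-Null
}

# Usage (run from an elevated session):
#   Test-MalwareDefenseBaseline | Format-List
#   Register-RemovableMediaScan
```

The audit function returns an object rather than printing, so its output can be collected centrally from laptops as they check in; the Findings array is what you would forward to whatever reporting channel the endpoint can reach when it is off the corporate network. The scan-on-insert subscription is shown as a session-scoped handler for clarity; in production the same behaviour belongs in your endpoint tool's own policy or a persistent scheduled task.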